Wednesday, December 10, 2014

Strongswan and Cisco ASR5000 SeGW

  1. strongSwan proposes every transform it has available in the first IKE_SA_INIT. With a long ike= list that is too many for the Cisco SeGW, and some of the transforms are ones it does not recognize, so the SeGW silently drops the IKE_SA_INIT and never answers. The configuration that triggered it:
    ike=aes128-sha1-prfsha1-modp1024,aes256-sha1-prfsha1-modp1024,3des-md5-prfmd5-modp1024,3des-sha1-prfsha1-modp1024,des-sha1-prfsha1-modp1
    esp=aes128-sha1-modp1024,3des-md5
    The Cisco SeGW reports:
    Too Many Transforms:             110
    and a packet dump on the Cisco shows something like:
    (........a lot of transforms.........)

          Transform Header #39
            Last                 (U08): Yes/0 (0x00)
            Reserved             (U08): 0
            Transform Length     (U16): 8 (0x8) bytes
            Transform Type       (U08): DHGROUP/4 (0x04)
            Reserved             (U08): 0
            Transform ID         (U16): UNKNOWN/30 (0x001E)
    FIX: terminate each proposal list with the strict flag "!" so strongSwan sends only the suite you configured. Without "!" strongSwan appends its built-in default proposal to the configured list, which is where the unexpected transforms come from; the Transform ID 30 in the dump above is DH group 30 (brainpoolP512r1, RFC 6954), which does not appear in the ike= line at all. With a single strict suite, e.g.
    ike=aes128-sha1-prfsha1-modp1024!
    esp=aes128-sha1-modp1024!
    the SeGW receives one proposal with one transform per type. modp1024, SHA-1, 3DES, MD5 and DES are weak by current standards, so pick the strongest single suite the SeGW actually supports rather than the first one that happens to work.
     
  2. MOBIKE (RFC 4555) is enabled by default in strongSwan (mobike=yes), but the Cisco SeGW does not support it. The tunnel is established without any error. However, every ESP packet from the strongSwan host reaches the SeGW but is "somehow" not recognized: an encrypted ping request, for example, arrives at the SeGW but is never decrypted and is dropped. In the other direction, none of the SeGW's encrypted pings arrive at the strongSwan PC. A capture on both ends showing ESP with the negotiated SPIs arriving while nothing is decapsulated is what distinguishes this from an ordinary routing or firewall problem.

    FIX: disable MOBIKE in the conn:
    mobike=no
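As an added example (not from the original post), here is a complete ipsec.conf conn for a strongSwan IKEv2 initiator talking to the SeGW with both fixes from items 1 and 2 applied. The addresses, identities, subnets and certificate-based authentication are assumptions for illustration only; the proposal strings and mobike=no are the ones from the post.

```ini
# Added example, not from the original post: a strongSwan ipsec.conf "conn"
# for an IKEv2 initiator peering with a Cisco ASR5000 SeGW, with both fixes
# applied. Addresses, identities, subnets and the certificate-based
# authentication below are assumptions for illustration.

conn segw
        keyexchange=ikev2

        # Fix 1: strict proposals. Without the trailing "!", strongSwan appends
        # its built-in default proposal to the configured list, which is where
        # the extra DH groups (e.g. transform ID 30) and the SeGW's
        # "Too Many Transforms" drop come from. The original, problematic
        # lists looked like:
        #   ike=aes128-sha1-prfsha1-modp1024,aes256-sha1-prfsha1-modp1024,3des-md5-prfmd5-modp1024,...
        #   esp=aes128-sha1-modp1024,3des-md5
        # With "!" exactly one suite is sent. modp1024 and SHA-1 are kept here
        # only because that is what this SeGW was known to accept; use the
        # strongest single suite the peer supports.
        ike=aes128-sha1-prfsha1-modp1024!
        esp=aes128-sha1-modp1024!

        # Fix 2: the SeGW does not implement MOBIKE (RFC 4555). strongSwan's
        # default is mobike=yes, with which the tunnel came up but ESP was
        # dropped undecrypted on the SeGW.
        mobike=no

        # Local side (assumed values)
        left=%defaultroute
        leftid=@femto.example.net
        leftcert=femtoCert.pem
        leftsubnet=10.0.1.0/24

        # SeGW side (assumed values)
        right=203.0.113.10
        rightid=@segw.example.net
        rightsubnet=10.0.0.0/8

        auto=start
```

The certificate named in leftcert must sit in /etc/ipsec.d/certs with its private key listed in ipsec.secrets. After `ipsec update` and `ipsec up segw`, `ipsec statusall` shows the single IKE and ESP proposal that was negotiated, which is the quickest confirmation that the strict lists took effect.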
